XSS Defense #1: Inbound Blacklist Regex Filters

XSS Defense #2: JS Sandbox Injection

This defensive layer uses ModSecurity's data modification capability (the @rsub operator) to insert Gareth Heyes' (@garethheyes) JS sandbox, MentalJS, at the beginning of HTML responses.
It is important to understand what a JS sandbox is and how it works: you may be able to execute JS code, but it runs in a sandboxed environment.
For example, preventing a JS alert popup box is not the goal here; the goal is to protect DOM elements from being accessed.
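
A sketch of how this kind of response injection can be configured, added here as an example and not taken from the challenge's own rule set. It assumes ModSecurity 2.x on Apache; the rule id, the `<head>` anchor and the script path are placeholders.

```apache
# Added example. Rule id 1000001 and /js/sandbox-placeholder.js are
# constructed placeholders, not values from the challenge site.

SecRuleEngine On

# Buffer HTML response bodies so they can be inspected and rewritten.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html

# Expose the re-writable response stream and allow content changes.
SecStreamOutBodyInspection On
SecContentInjection On

# In reverse-proxy mode a compressed backend response cannot be rewritten,
# so ask the backend for uncompressed bodies.
SecDisableBackendCompression On

# Phase 4 (response body): for HTML responses only, place the sandbox
# script as the first element of <head> so it loads before any reflected
# markup further down the page. Slashes in the replacement are escaped
# because "/" is the @rsub delimiter.
SecRule RESPONSE_CONTENT_TYPE "@beginsWith text/html" \
    "id:1000001,phase:4,t:none,t:lowercase,nolog,pass,chain"
    SecRule STREAM_OUTPUT_BODY \
        "@rsub s/<head>/<head><script src='\/js\/sandbox-placeholder.js'><\/script>/i"
```

A response that has no `<head>` tag is left unchanged by this rule, so pages served without one would not receive the sandbox.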

Challenge Goals

Your challenge is twofold:

1. Filter Evasion

You must execute a reflected XSS attack accessing one of the DOM elements listed below WITHOUT triggering an XSS filter alert. XSS filter alerts will be displayed below.

2. Escape from the MentalJS JavaScript Sandbox

You must bypass the MentalJS JS Sandbox protections and successfully execute a reflected XSS attack that executes JS code in your browser. A successful attack will be able to access one of the following DOM elements:

Trigger the youWon JS function

Access document.location that is not undefined or sandboxed

Access document.cookie that is not undefined or sandboxed

You may toggle the defenses on or off by checking the box in the form below. Turning them off disables the MentalJS sandbox injection and also adds the X-XSS-Protection: 0 response header to temporarily disable any browser-side XSS filtering. This helps with testing working XSS payloads.

Challenge Submission

If you are successful, please notify us at any of the following places: